Thycotic’s Cyber Security Publication

January 19th, 2016

Recently, Adobe worked with us here at Thycotic to publish a use case document on how they’ve implemented Secret Server for enterprise password management within their application build environment. While the core message surrounding the ability to automate processes and remove the human error element is critical for Adobe and just about any other organization out there, I wanted to spend a couple of minutes highlighting one of the key success factors they found that helped make the automation process work: flexibility.

I hear from colleagues all over the world their struggle to find security tools and other products which ultimately lack the flexibility they need to support their particular environments. In some cases, it’s a problem of scope and scale. Large companies with highly virtualized environments must find ways to configure, patch, modify, and otherwise manage the thousands of systems they’re deploying globally and, more importantly, in accordance with their particular company’s policies or system requirements. As we all know, no two companies handle these things the same way, so why would you use software that only allows you to perform its functions in a single way?

In other cases, it may not be about size, but more about the peculiarities of that specific company’s needs and business processes. A patch management system that relies on an Active Directory implementation to deliver Windows patches does little good to an energy company that uses older Unix systems which aren’t bound to a Microsoft directory service. Not to mention the needs to isolate (often in a fully air-gapped configuration) these systems away from other parts of the network, which makes a tool that can only handle deploying patches in this dedicated way absolutely useless to an organization like this. It becomes imperative that the deployment tool be able to be customizable and flexible enough to support non-standard or uncommon configurations in order to allow the business to accomplish their mission.

It’s an old dilemma, really. Too often, organizations adjust and compromise their internal processes and methods to accommodate the tools they purchase when what we should be doing is demanding software that can accommodate our processes and methods our business requires. Software with the flexibility to provide good extensibility of function and form is the key piece that can turn a simple layer of defense in your security program into a powerful tool to build efficiency and reduce overall risk to the organization. Additionally, you get the added benefit of efficiency in not having to rewrite your internal processes, while your admins and other users can utilize a tool that supports the methods they are already familiar with and are trained to do. There is a huge overall benefit that can be realized by leveraging these kinds of tools.

So, what should we be looking for as part of our review processes for new tools? Well, as Adobe mentioned in the use case, security tools like Thycotic Secret Server, which have extensive APIs, are a great start. APIs allow you to automate most, if not all, of the administrative and rote tasks that are repeated constantly in your technology processes. Not only do you take away the human error problem, but you can accomplish these tasks far more quickly and at a much larger scale by leveraging API programming to automate these tasks. Additionally, look for tools that support the use of scripting to extend the functionality of what they can do. Most IT admins today rely heavily on scripting languages to automate their own day-to-day tasks, so why not leverage what’s already in place today? If a sysadmin has already written a Perl script to properly restart services on a target host after it’s patched, why wouldn’t you want your patch management tool to simply execute that existing script automatically whenever that system is patched? Being able to extend out the use of these security tools without having to re-write or recreate the functions enables you to make the most out of your investment without spending additional time and money to create new customized tools or worse, bringing in expensive consultants to make the tool do what you need.

Adobe has shown how effective and efficient processes can become when automated with the right toolset. Getting there, however, relied on the ability to be flexible enough to support their processes in the way they needed them to be executed. If you’re looking to find the same sort of efficiency benefits for your organization, make flexibility, and extensibility a requirement for any of your reviews of new tools no matter in what area of the organization they’re needed.